Okta widget - I cannot see sessions or userInfo during logout from other page

Questions OAuth/OIDC
1

Hi,

I am using Okta widget to authenticate user - version 7.1.1.
I have followed the sample from here:

https://developer.okta.com/docs/guides/embedded-siw/main/#create-a-simple-spa

I initialise the OktaSingIn using this kind of method:

function initialiseOktaSignIn(oIssurerUri, oRedirectUri, oClientId){
    var oktaConfig = {
            issuer: oIssurerUri
            , redirectUri: oRedirectUri
            , clientId: oClientId
    }

    // Search for URL Parameters to see if a user is being routed to the application to recover password
    var searchParams = new URL(window.location.href).searchParams;
    oktaConfig.otp = searchParams.get('otp');
    oktaConfig.state = searchParams.get('state');

	return new OktaSignIn(oktaConfig);
}

I can login and I can validate the received idToken using /introspect call.
The login is on page 1:

domain/ctx/app/p1

Then I have my portal pages:

domain/ctx/app/home

And I have logout button on the portal pages. Now I would like to leverage okta widget to logout the user from okta before I redirect him to another process which clears other stuff out. So I created a logout function where I once again initialise the oktaSignIn using the same parameters and the same function which I added before:

function caOktaWidgetLogout(oIssurerUri, oRedirectUri, oClientId) {
		const oktaSignIn = initialiseOktaSignIn(oIssurerUri, oRedirectUri, oClientId);
		
		oktaSignIn.authClient.token.getUserInfo().then(function(user) {
			console.log("USER INFO: " + JSON.stringify(user));
		}, function(error) {
			console.log("USER NOT FOUND");
		});
		
		oktaSignIn.authClient.session.exists().then(function(exists) {
			if (exists) {
				console.log("Session EXISTS");
			} else {
				console.log("Session DOES NOT EXISTS"); 
			}
		});
		
		oktaSignIn.authClient.signOut();
		
		//location.reload();
		window.event.preventDefault();
		//location.reload();
}

Now during the logout function I can see that the oktaSignIn.authClient doesn’t return any user or session so oktaSignIn.authClient.signOut(); doesn’t sign the user out and I still can see that the token is active using the /introspect call.

What am I doing wrongly??? Is it possible to do it the way I want to do it? Or the issue is that I create the oktaSignIn object second time?

Thanks,

2

Hello,

Is there any errors in the browsers dev console when you run this and logout is run?

The call to getUserInfo() does not wait before calling signOut() whee again there is no wait.
Potentially you might see some inconsistencies here depending on the timing.

The sessions API is based off your Okta session cookie and doesn’t have anything to do with the local token storage.

You don’t clear out local storage at any point in your application when going from domain/ctx/app/p1 to domain/ctx/app/home or anytime before attempted logout?

Thank You

3 Likes
3

Thank you very much for your replay.
Pointing me towards Okta’s cookie was all I needed!

I have noticed that on my subdomain the cookie is not getting pulled as I was initializing the Okta oktaSingIn during logout call so the cookies never was accessible (cookies from the okta domain). I changed to initialise it after page loading instead and made a call to getUserInfo to check if the user is there and it pulled the missing okta domain cookies for me so I could logout the session.

Thank you very much!

4

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.